Re: SQL audit
Date: Thu, 24 Dec 2009 08:43:16 -0800 (PST)
The network and windows guys had a bit of a heads up on me, so everything was already in place on their side, where I had a shorter window to put SOX compliance in place, (3 months for everything, but luckily I'd been on two larger projects for other companies, so had a lot of previous scripts and experience to fall back on.
- Password "friendliness" for Oracle-
The justification was signed off on for Oracle's limitations and best practice for passwords and should be noted, no special characters were required in the passwords for Oracle, where they were required in the Oracle apps front end piece. Auditing for passwords was implemented and I monitored for the last changed date. I monitored to ensure that passwords had a capital letter and a number in the password. If they did not have this, the account was locked, (yes, it was locked, that was the requirement...) It was a homegrown kshell script with SQL, nothing more than that I remember to track this was needed.
-Apps Password syncronization-
This was another shell script using the FNDCPASS command to reset passwords. Performing the task in the correct order, passing in the new SYSTEM password once reset to then set the apps schema passwords. I did hold my breath the first couple run, hoping to God I wouldn't be recovering a test Oracle apps database that weekend... :) I was still a pretty new DBA to Oracle E-Business Suite at that time and I wasn't positive I had all my ducks in a row yet...
We already reset our Oracle OS accounts every 90 days, so that was pre-scripted and easily executed on our end. Like I said, the Network and Windows folks already had all their's setup, so every 90 days, they had to reset. I considered going to OID, but there just wasn't enough time to implement, where I can write a shell script to do just about anything... We should also note- I created this all from scratch, got it into place and then we promptly went out of business... sigh...:)
"Go away before I replace you with a very small and efficient shell script..."
- On Tue, 12/22/09, Jared Still <jkstill_at_gmail.com> wrote:
From: Jared Still <jkstill_at_gmail.com>
Subject: Re: SQL audit
To: "Kellyn Pedersen" <kjped1313_at_yahoo.com> Cc: rtylka_at_gmail.com, "Oracle-l" <oracle-l_at_freelists.org> Date: Tuesday, December 22, 2009, 8:01 AM
On Mon, Dec 21, 2009 at 6:02 PM, Kellyn Pedersen <kjped1313_at_yahoo.com> wrote:
- that Oracle application users passwords were set to the same complexity requirements as network logins.
Unless all databases are 11g+, or the network password requirements are very simple, my not be enforceable, as passwords for any version of Oracle less than 11g are case insensitive.
Many password policies require a combination of upper and lower case. A password policy that requires any 2 of these 3 is more friendly to Oracle:
* upper and lower case * special characters (punctuation) * one or more digits
A minimum length limit. I think 8 is fairly common.
With Oracle I find it better to use long passwords (15 characters or more) and skip the punctuation characters. Many utilities (adpatch, txkreg.pl, ...) do not work properly with some special characters.
How did you deal the Oracle Password limitations?
- And scripted out the ability to reset all Oracle/App system passwords every 90 days.
Interesting requirement. Did the auditors also require that all windows service account passwords and unix software owner accounts be reset every 90 days?
If not, there's not a lot of point in changing the oracle/app passwords.
If so, that must really be interesting, particularly in the case of the service accounts.